Lawful intercept of call content on the public switched telephone network (PSTN) is functionality mandated by the Communications Assistance for Law Enforcement Act (CALEA) in the United States and by similar legislation in many other countries. Phone calls carried over Internet protocol (IP) networks must comply with the same lawful intercept rules as calls carried over the traditional PSTN. Lawful intercept of call content over IP networks is difficult due to the wide range of protocols and codecs that are deployed. While the PSTN typically carries audio data using G.711 over a dedicated time-division multiplexing (TDM) channel, voice over IP (VoIP) networks can encode audio using many codecs (e.g., G.711, G.729, iLBC) and transmit it using different protocols (e.g., real-time transport protocol (RTP), secure real-time transport protocol (SRTP)).
There are four known methods for intercepting IP-based call content. IP-based call content may be intercepted at a network gateway when the call content is between a communications device on a VoIP network and a communications device on a traditional wired or wireless telephone network. This method allows for the interception of audio, but not of video, data, or encrypted content. IP-based call content may also be intercepted at the session border controllers of the VoIP network. A session border controller may only be able to see the signaling from one party to a call. If lawful intercept applies to the second party to a call, the session border controllers may not know this and may not intercept the call. A third method allows for the interception of IP-based call content at routers and switches on an IP-network. This method requires that every packet of data passing through a router or switch be scanned to determine whether or not the packet needs to be intercepted. The VoIP provider generally has no control over this method of interception, as the routers and switches on an IP-network outside of the VoIP provider's network belong to parties other than the VoIP provider. A fourth method allows for the interception of IP-based call content at the packet-based media processor through use of a conferencing bridge. This method is limited to audio call content only, as video, data, and encrypted content may not be intercepted. Further, the conferencing bridge must understand the audio codec being used by the communications devices on the call. This may require the conferencing bridge to force the communications devices on the call to change the codec they use, which may allow the parties using the communications devices to discover that the call is being intercepted.
As a first way, a PSTN gateway may be used to redirect a copy of call content to a surveilling agency. PSTN gateways may only accept a standard RTP stream containing audio, making it impossible for the gateways to provide the original user datagram protocol (UDP)/IP/RTP packet header, an abstract syntax notation number one (ASN.1) envelope as defined in T1.678, or other packet or envelope types required by country-specific rules and regulations. Further, the PSTN gateway may not accept video, T.38 signaling, or any other IP-based media protocols.
As a second way, IP-based call content may also be intercepted by session border controllers (SBCs). An SBC may redirect a copy of call content to a surveilling agency in the same manner as a PSTN gateway. The SBC may only see signaling for one of the two parties to a call, because the other party is hidden by an application server. If lawful intercept applies to the second party, the SBC may not know this because it can only see the signaling from the first party. The SBC may therefore not initiate the intercept of a call when the presence of the second party would make interception appropriate.
As a third way, IP-based call content may also be intercepted at an Ethernet switch or router on an IP-network in the path of the call content. As the IP packets, such as, for example, RTP, UDP, TCP/IP, and T.38 packets, containing the call content pass through a switch or router that is part of the network over which the call is routed, the switch or router may send copies of the IP packets to a surveilling agency. However, this may be processor intensive, since the switch or router must examine every single IP packet passing through to determine if the packet contains call content that is to be intercepted.
As a fourth way, IP-based call content may be intercepted at a packet-based media processor using a conferencing bridge. A call between two communications devices may be connected through a packet-based media processor on the VoIP provider's network. The packet-based media processor may set up a conferencing bridge. Each of the parties to the call may be connected to the conferencing bridge via a two-way connection, so that each party can both talk and listen to the other parties on the call. A surveilling agency may be connected to the conferencing bridge via a one-way connection, so that the surveilling agency may listen to the other parties on the call but may not talk, concealing the presence of the surveilling agency from the other parties. However, this may only work for audio content; the surveilling agency will receive only one audio stream containing audio from all parties to the call; and the conferencing bridge may be required to change the audio codec used by the communications devices on the call, which may increase the risk of the call interception being detected.
FIGS. 1A, 1B, 1C, and 1D depict four prior art systems for intercepting call content.
First communications device 101 may be any device suitable for communication, including making and/or receiving calls, over a VoIP network. For example, first communications device 101 may be a computer, set-top console, fax machine, VoIP handset, cellular handset with VoIP capability, or any other handheld or stationary device with VoIP capability.
Second communications device 102 may be any device suitable for telecommunications over any communications network. For example, second communications device 102 may be any computer, phone, fax machine, set-top console, or handheld device connected to any communications network capable of receiving calls from a communications device connected to a VoIP network.
Communication between the first communications device 101 and the second communications device 102 may always travel over a VoIP network for at least a portion of the trip between the first communications device 101 and the second communications device 102. The first communications device 101 may be connected directly to a VoIP network, for example, through a VoIP service provider, or may be connected to another communications network which routes communications traffic over a VoIP network. The second communications device 102 may also be connected directly to a VoIP network, or may be connected to any other communications network which may receive communications traffic from a VoIP network. For example, the first communications device 101 may be a VoIP handset, and the second communications device 102 may be a landline connected to a traditional phone service. The communications from the first communications device 101 may travel over the VoIP network to which the first communications device 101 is connected, and then over the non-VoIP network to which the second communications device 102 is connected.
VoIP provider's network 103 may be an IP-network, or portion thereof, controlled by a provider of VoIP services. The VoIP provider's network 103 may contain hardware used for the creation of IP-networks, such as, for example, routers, switches, hubs, servers, firewalls, and may have incoming and outgoing connections to other IP-networks. For example, the VoIP provider's network 103 may be the Internet, a section of the Internet controlled by the VoIP provider, a proprietary IP network, a managed IP network, or a service provider's IP network.
Router/switch 104 may be any router or switch used for handling routing and/or switching of traffic on an IP network, such as, for example, the Internet. For example, the router/switch 104 may be a router belonging to an internet service provider (ISP), handling the routing of traffic originating from the ISP's customers, and from other users of an IP network when the traffic passes through the network belonging to the ISP.
Session Border Controller (SBC) 105 and SBC 107 may be any computer, computing device, or the like on the border of the VoIP provider's network 103. For example, the SBC 105 and the SBC 107 may be hardware firewalls on the border of the VoIP provider's network 103 and may be responsible for monitoring all traffic entering and leaving the VoIP provider's network 103.
Application server 106 may be any computer, computing device, or the like suitable to function as a server on the VoIP provider's network 103. For example, the application server 106 may be a dedicated server. The application server 106 may control the routing of call content traveling over the VoIP network and the allocation of packet-based media processor resources for various calling features. For example, application server 106 may allocate proper packet-based media processor resources for videoconferencing and teleconferencing.
Packet-based media processor 110 may be any computer, computing device, or the like suitable to function as a server on the VoIP provider's network. For example, the packet-based media processor 110 may be a dedicated server. The packet-based media processor 110 may provide resources, such as, for example, processing cycles, required for various calling features, including, for example, videoconferencing, teleconferencing, speech recognition, and any other calling features provided by the VoIP network provider.
Network Gateway 111 may be any computer, computing device, or the like that may function as a gateway on a PSTN network. For example, the network gateway 111 may be a PSTN gateway. The network gateway 111 may function as a gateway between an IP-network, and VoIP networks on the IP-network, and wired and wireless telephone networks, allowing communication to take place between a communications device on a VoIP network and a communications device on the wired and wireless networks.
Surveilling agency computer system 112 may be any computer, computing device, or the like, belonging to a surveilling agency or any other entity, such as, for example, a contractor or subcontractor, acting on behalf of a surveilling agency. Surveilling agencies may include, for example, the Federal Bureau of Investigation, the Central Intelligence Agency, the National Security Agency, the Department of Homeland Security, other federal and state law enforcement agencies and agencies supporting law enforcement in both the United States and foreign nations, and international organizations such as, for example, Interpol. For example, surveilling agency computer system 112 may be a server located in the surveilling agency headquarters, a laptop or handheld computing device belonging to a field agent of the surveilling agency, a personal computer commandeered by the surveilling agency, etc. The surveilling agency computer system 112 may be controlled by the surveilling agency that has placed one or both of the first communications device 101 and the second communications device 102 under surveillance, as determined by the application server 106.
Collection function 113 may be any combination of software or hardware on the surveilling agency computer system 112 suitable for handling incoming call content. For example, collection function 113 may be a software program that records incoming call content to a computer readable medium accessible to the surveilling agency computer system 112. The recorded call content may be accessed on the surveilling agency computer system 112 after recording. As another example, collection function 113 may play back the incoming call content in real time.
Conferencing bridge 114 may be any combination of software and hardware on the packet-based media processor 110 suitable for handling a conference call. For example, conferencing bridge 114 may be software on the packet-based media processor 110 activated by the packet-based media processor 110 to set up a conference call between the first communications device 101 and the second communications device 102. A conference call may be similar to a normal call, except that more than two parties are allowed to be connected to the call at the same time.
FIG. 1A depicts the first previously used method for intercepting IP-based call content. As illustrated in FIG. 1A, the first previously used method for intercepting call content is described in, for example, U.S. Pat. No. 7,006,508 “Communication network with a collection gateway and method for providing surveillance services” to Bondy et al. (Bondy), U.S. Pat. No. 6,870,905 “Wiretap implemented by media gateway multicasting” to Pelaez et al. (Pelaez), and U.S. Pat. No. 7,092,493 “Methods and systems for providing lawful intercept of a media stream in a media gateway” to Hou et al. (Hou). In this previous method, call content is intercepted at the network gateway 111. The first communications device 101 on the VoIP network may be used to initiate a call to the second communications device 102 on a telecommunications network which may be wired, wireless, or a combination of wired and wireless.
The first communications device 101 may initiate the call by sending call initiation data to the application server 106. Call initiation data may be Session Initiation Protocol (SIP) packets, Media Gateway Control Protocol (MGCP) packets, H.323 packets, or any other suitable data or packet type, and may contain data conforming to Session Description Protocol (SDP). The application server 106 may determine from the call initiation data that the call content needs to be routed through the network gateway 111, in order for the call content to reach the second communications device 102 on the traditional telephone networks. Call initiation data may be sent to the network gateway 111, and call content in the form of RTP packets may be sent from the first communications device 101 to the network gateway 111.
At the network gateway 111, the RTP packets may be converted into, for example, a TDM signal and transmitted over the telecommunications network to the second communications device 102. Call content from the second communications device 102, in the form of a TDM signal, may be transmitted over the telecommunications network to the network gateway 111, where the call content may be packetized into RTP packets. These RTP packets may be transmitted over the IP-network to the first communications device 101.
Call content may be intercepted at the network gateway 111. If either the first communications device 101 or the second communications device 102 is under surveillance, the network gateway may be instructed to copy the RTP packets incoming from the first communications device 101 and created from the call content incoming from the second communications device 102 and to transmit the copies to the surveilling agency computer system 112. The collection function 113 may handle the incoming call content according to the setup of the collection function 113. Because the network gateway 111 only understands RTP packets, only RTP packets containing an audio stream may be sent to the surveilling agency computer system 112. This may prevent the interception of any non-audio call data, such as, for example, video data or desktop collaboration data. Additionally, the network gateway 111 cannot copy and transmit Secure RTP (SRTP) packets, which may use 128-bit encryption, to the surveilling agency computer system 112. This may prevent the interception of any call data, audio or otherwise, that is encrypted.
FIG. 1B depicts the second previously used method for intercepting IP-based call content. As illustrated in FIG. 1B, the second previously used method for intercepting IP-based call content is described, for example, in Bondy. Call content is intercepted at the session border controllers 105 and/or 107. The first communications device 101 on the VoIP network may be used to initiate a call to the second communications device 102 on any VoIP or traditional wired or wireless telephone network.
The first communications device 101 may initiate a call to the second communications device 102, as described above. Call content in the form of RTP packets from the first communications device 101 may be transmitted over IP-networks, such as, for example, the Internet, to the VoIP provider's network 103. The RTP packets may reach the session border controller 105 on the edge of the VoIP provider's network 103. The session border controller 105 may help route the RTP packets through the VoIP provider's network 103, where the RTP packets will be directed to their destination. The RTP packets may pass through session border controller 107 upon leaving the VoIP provider's network 103. The RTP packets may then traverse other IP-networks, such as, for example, the Internet or managed IP networks, or service provider's IP networks, to reach the second communications device 102. Call content may be transmitted from the second communications device 102 to the first communications device 101 in the same manner, reaching session border controller 107 at the edge of the VoIP provider's network 103, and then session border controller 105 upon leaving the VoIP provider's network 103.
If either of the first communications device 101 or the second communications device 102 is under surveillance, the session border controllers 105 and 107 may be instructed to copy the incoming RTP packets from the first communications device 101 and the second communications device 102 and transmit the copies to surveilling agency computer system 112. The collection function 113 may handle the incoming call content according to the setup of the collection function 113. Each of the session border controllers 105 and 107 may only see signaling for one of the two parties to a call, because the other party is hidden by an application server. If lawful intercept applies to the second communications device 102, the session border controller 105 may not know this because it can only see the signaling from the first communications device 101. The session border controller 105 may therefore not initiate the intercept of a call when the presence of the second communications device 102 would make interception appropriate. The session border controller 107 may face the same limitations with respect to the first communications device 101.
FIG. 1C depicts the third previously used method for intercepting IP-based call content. As illustrated in FIG. 1C, the third previously used method for intercepting call content is described in, for example, Bondy. Call content is intercepted at the router/switch 104. The first communications device 101 on the VoIP network may be used to initiate a call to the second communications device 102 on any VoIP or traditional wired or wireless telephone network.
When the first communications device 101 transmits call content to the second communications device 102, and vice versa, the call content, in the form of IP packets, such as, for example, RTP, UDP, TCP/IP and T.38 packets, must traverse an IP-network. In traversing the IP-network, the IP packets may be routed and switched through the router/switch 104, which may be one of the routers and switches responsible for routing IP packets on the IP-network. If either the first communications device 101 or the second communications device 102 is under surveillance, call content may be intercepted as it passes through the router/switch 104 on its way to or from the VoIP provider's network 103.
In order for call content to be intercepted by the router/switch 104, the router/switch 104 may be instructed to check every incoming IP packet to determine whether the incoming IP packet is part of the call content between the first communications device 101 and the second communications device 102. When an IP packet that is part of the call content between the first communications device 101 and the second communications device 102 is detected by the router/switch 104, the router/switch 104 may copy the IP packet and transmit the copy to the surveilling agency computer system 112. The collection function 113 may handle the incoming call content according to the setup of the collection function 113. The computational resources required to check every incoming IP packet passing through the router/switch 104 are immense. The result of attempting to check every incoming IP packet using currently available routing and switching hardware would be a slowdown in traffic passing through the router/switch 104, as each packet was checked to determine if the packet belonged to an intercepted call.
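The per-packet check described above, the derivation of the media endpoints from the call initiation data (the SDP carried in SIP or similar signaling), and the dependence of a session border controller on signaling it has actually seen can be made concrete with the following added example. It is not code from the patent or from any of the cited systems. It parses a constructed SDP body, records the media address and port it announces as intercept targets, and then runs a minimal IPv4/UDP/RTP header parser over constructed packets to decide which ones belong to the call. All addresses, ports, SSRC values and the `InterceptClassifier` class are assumptions made for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed SDP body of the kind carried in a SIP INVITE from the first
# communications device; addresses and ports are made up for the example.
SDP_FROM_DEVICE_101 = """v=0
o=user101 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 8 18
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
m=video 51372 RTP/AVP 96
a=rtpmap:96 H264/90000
"""

# Static RTP payload types (RFC 3551); dynamic types 96-127 are named by a=rtpmap.
STATIC_PAYLOAD_TYPES = {0: "PCMU", 8: "PCMA", 18: "G729"}
UDP_PROTOCOL = 17


@dataclass
class MediaDescription:
    kind: str              # "audio" or "video"
    addr: str              # from the session- or media-level c= line
    port: int              # from the m= line
    codecs: Dict[int, str]


def parse_sdp_media(sdp: str) -> List[MediaDescription]:
    """Extract one MediaDescription per m= line of an SDP body."""
    session_addr = ""
    media: List[MediaDescription] = []
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]
            if media:
                media[-1].addr = addr        # media-level c= overrides session-level
            else:
                session_addr = addr
        elif line.startswith("m="):
            kind, port, _proto, *pts = line[2:].split()
            codecs = {int(pt): STATIC_PAYLOAD_TYPES.get(int(pt), "dynamic") for pt in pts}
            media.append(MediaDescription(kind, session_addr, int(port), codecs))
        elif line.startswith("a=rtpmap:") and media:
            pt, name = line[len("a=rtpmap:"):].split(" ", 1)
            media[-1].codecs[int(pt)] = name.split("/")[0]
    return media


def build_ipv4_udp(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    """Assemble a constructed IPv4/UDP datagram (checksums left at zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, UDP_PROTOCOL, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + udp


def parse_ipv4_udp(packet: bytes) -> Optional[Tuple[str, int, str, int, bytes]]:
    """Decode IPv4/UDP headers; return (src, sport, dst, dport, payload) or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != UDP_PROTOCOL or len(packet) < ihl + 8:
        return None
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    sport, dport, ulen = struct.unpack("!HHH", packet[ihl:ihl + 6])
    return src, sport, dst, dport, packet[ihl + 8:ihl + ulen]


def parse_rtp_header(payload: bytes) -> Optional[Tuple[int, int, int]]:
    """Return (payload type, sequence, SSRC) from the fixed RTP header, which stays readable under SRTP."""
    if len(payload) < 12 or payload[0] >> 6 != 2:     # RTP version must be 2
        return None
    seq, _ts, ssrc = struct.unpack("!HII", payload[2:12])
    return payload[1] & 0x7F, seq, ssrc


class InterceptClassifier:
    """Copies packets whose source or destination matches a media endpoint learned from signaling."""

    def __init__(self) -> None:
        self.targets: Set[Tuple[str, int]] = set()
        self.examined = 0
        self.copied: List[bytes] = []

    def add_targets_from_sdp(self, sdp: str) -> None:
        for m in parse_sdp_media(sdp):
            self.targets.add((m.addr, m.port))

    def process(self, packet: bytes) -> bool:
        """Every packet is decoded before it can be dismissed; returns True if a copy was made."""
        self.examined += 1
        decoded = parse_ipv4_udp(packet)
        if decoded is None:
            return False
        src, sport, dst, dport, _payload = decoded
        if (src, sport) in self.targets or (dst, dport) in self.targets:
            self.copied.append(packet)
            return True
        return False


def run_demo() -> Tuple[int, int, int]:
    """Return (packets examined, copied by a node that saw the signaling, copied by one that did not)."""
    rtp = struct.pack("!BBHII", 0x80, 0, 1, 160, 0x1234ABCD) + b"\xff" * 160   # constructed PCMU frame
    packets = [
        build_ipv4_udp("192.0.2.10", 49170, "198.51.100.7", 6000, rtp),    # device 101 -> far end
        build_ipv4_udp("198.51.100.7", 6000, "192.0.2.10", 49170, rtp),    # far end -> device 101
        build_ipv4_udp("203.0.113.5", 40000, "203.0.113.6", 40001, rtp),   # unrelated call
    ] * 100
    informed = InterceptClassifier()
    informed.add_targets_from_sdp(SDP_FROM_DEVICE_101)
    uninformed = InterceptClassifier()            # never saw this party's signaling
    copied = sum(informed.process(p) for p in packets)
    blind = sum(uninformed.process(p) for p in packets)
    return informed.examined, copied, blind
```

Every packet, including those of unrelated calls, has to be decoded far enough to read its addresses and ports before it can be dismissed, which is the cost the text attributes to interception at a router or switch. A node whose target set was never populated from the relevant party's signaling copies nothing, which is the session border controller limitation described for FIG. 1B. The RTP parser reads only the fixed header; under SRTP that header is the only part in the clear, and the payload behind it is not decoded here.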
FIG. 1D depicts the fourth previously used method for intercepting IP-based call content. Call content is intercepted at the packet-based media processor 110 through the use of the conferencing bridge 114. The first communications device 101 on the VoIP network may be used to initiate a call to the second communications device 102 on any VoIP or traditional wired or wireless telephone network. This may require the first communications device 101 to transmit call initiation data to the application server 106. The application server 106 may examine the call initiation data to determine if either the first communications device 101 or the second communications device 102 is under surveillance.
If either the first communications device 101 or the second communications device 102 is under surveillance, the application server 106 may instruct the packet-based media processor 110 to set up conferencing bridge 114. The application server 106 may then modify the call initiation data so that the first communications device 101 and the second communications device 102 send call content to the conferencing bridge 114 on the packet-based media processor 110, setting up a conference call. The conferencing bridge 114 may then connect the surveilling agency computer system 112 to the conference call between the first communications device 101 and the second communications device 102 via a one-way, listen-only, connection. As part of the conference call, the surveilling agency computer system 112 may listen to the audio content transmitted between the first communications device 101 and the second communications device 102, intercepting the call content.
The conferencing bridge 114 may only be able to handle unencrypted audio content, and may not be able to set up a conference call with video, data, or encrypted content. The conferencing bridge 114 may also be required to force the first communications device 101 and the second communications device 102 to use an audio codec with which the conferencing bridge 114 is compatible. The forced change of audio codec may be detected by the users of the first communications device 101 and the second communications device 102, allowing the users to discover that the call is being intercepted.
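The conferencing bridge of FIG. 1D, as an added example that is not code from the patent: a bridge that mixes 16-bit PCM frames, with two-way legs for the two parties and a listen-only leg for the collection function, together with the codec negotiation that decides whether the parties are pushed off the codec they offered first. The leg names, the codec list `BRIDGE_CODECS` and the sample frames are assumptions for the example.

```python
from typing import Dict, List, Optional, Sequence

# Codecs the constructed bridge can decode and mix, in its order of preference.
BRIDGE_CODECS = ("PCMU", "PCMA")
PCM_MIN, PCM_MAX = -32768, 32767


def negotiate_codec(offered: Sequence[str], supported: Sequence[str]) -> Optional[str]:
    """Pick the first codec in the caller's preference order that the bridge can mix."""
    for codec in offered:
        if codec in supported:
            return codec
    return None


def forced_codec_change(offered: Sequence[str], supported: Sequence[str]) -> bool:
    """True when bridging makes the parties drop the codec they would otherwise have used."""
    chosen = negotiate_codec(offered, supported)
    return chosen is not None and chosen != offered[0]


def mix_frames(frames: Sequence[Sequence[int]], length: int) -> List[int]:
    """Sum 16-bit linear PCM frames sample by sample, saturating instead of wrapping."""
    mixed = []
    for i in range(length):
        total = sum(f[i] for f in frames if i < len(f))
        mixed.append(max(PCM_MIN, min(PCM_MAX, total)))
    return mixed


class ConferenceBridge:
    """Legs that can talk are mixed for everyone else; listen-only legs only receive."""

    def __init__(self) -> None:
        self.can_talk: Dict[str, bool] = {}

    def add_leg(self, name: str, can_talk: bool = True) -> None:
        self.can_talk[name] = can_talk

    def mix(self, inbound: Dict[str, List[int]], frame_len: int) -> Dict[str, List[int]]:
        # Audio arriving on a listen-only leg is discarded, so it can never reach the parties.
        talkers = {leg: frame for leg, frame in inbound.items() if self.can_talk.get(leg)}
        outbound: Dict[str, List[int]] = {}
        for leg in self.can_talk:
            others = [frame for name, frame in talkers.items() if name != leg]
            outbound[leg] = mix_frames(others, frame_len)
        return outbound


def run_demo() -> Dict[str, object]:
    """Bridge two talking parties and one listen-only leg for one constructed 4-sample frame."""
    bridge = ConferenceBridge()
    bridge.add_leg("device_101")
    bridge.add_leg("device_102")
    bridge.add_leg("collection_function", can_talk=False)
    inbound = {
        "device_101": [1000, 1000, 1000, 1000],
        "device_102": [-500, -500, -500, -500],
        "collection_function": [30000] * 4,    # would be audible if the leg could talk
    }
    return {
        "outbound": bridge.mix(inbound, frame_len=4),
        "forced_change": forced_codec_change(["G729", "PCMU"], BRIDGE_CODECS),
        "unbridgeable": negotiate_codec(["G729", "iLBC"], BRIDGE_CODECS) is None,
    }
```

The listen-only leg receives a single frame in which both parties are already summed, which is why the text says the surveilling agency gets one audio stream for all parties rather than one per party, and audio arriving on that leg is never mixed, which is what keeps its presence silent. `forced_codec_change` is true exactly when the bridge's codec support makes the parties negotiate away from the codec they would otherwise have used, the observable side effect the text identifies; when no offered codec is supported at all, the call cannot be bridged.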
Each of the four prior art methods of intercepting IP-based call content may be used when more than two communications devices participate in the call, such as, for example, during a conference call.
Also in the prior art, VoIP providers currently use packet-based media processors to provide additional calling features on their networks. These calling features may include, for example, voice mail, speech recognition, teleconferencing, video conferencing, and desktop collaboration. Calls requiring the use of these features are routed through the VoIP provider's network 103 to the VoIP provider's packet-based media processor, where the computing resources in the form of software and/or hardware needed to implement the features may be provided.
FIG. 2 depicts an exemplary embodiment of the use of a packet-based media processor in a VoIP network according to the prior art. The first communications device 101 may initiate, for example, a video conference with the second communications device 102. The call initiation data transmitted from the first communications device 101 to the application server 106 may indicate that the call is to be a video conference. The application server 106 may then transmit information to the packet-based media processor 110, instructing the packet-based media processor 110 to set up a video conferencing module 201, to be used by the first communications device 101 and the second communications device 102. Video conferencing module 201 may be any combination of hardware and software on the packet-based media processor 110 suitable for providing the necessary resources for the routing of video and audio data between the participants in a video conference call.
Call content transmitted from the first communications device 101, in the form of a stream of RTP packets containing audio and a stream of RTP packets containing video, is then routed to the packet-based media processor 110 upon reaching the VoIP provider's network 103, for example, at session border controller 105. The video conferencing module 201 may handle any necessary processing of the call content, including the audio and video, to ensure the video conference functions properly. The call content is transmitted from the packet-based media processor 110 to the second communication device 102. Call content transmitted by the second communications device 102 is handled in a likewise manner, being routed to the packet-based media processor 110 upon reaching the VoIP provider's network 103, for example, at session border controller 107. If the video conference call has more than two participants, the video conferencing module 201 may handle any necessary copying of the audio and video and manage the transmission of the copied audio and video to all other communication devices participating in the video conference call.